Security Clearances

Contractor IT staff working on federal contracts hold Public Trust positions and must have background investigations at the appropriate level. A brief outline of the clearance process is given below, along with links to sample filled-out forms. Links to additional information about OPM investigations and clearances are provided at the end of this document.

The requirement for background investigations applies only to contractors on contracts that call for them. Offerors are not required to obtain background investigations in order to submit a proposal. Refer to Section L of the RFP to determine whether security investigations will be required under any contract resulting from an award.

Personnel Security Clearance Process

The Project Officer and Information Systems Security Officer (ISSO) determine which contract employees need background investigations and the level of investigation needed for each. The Contracting Officer will inform the contractor which positions require background investigations and the level for each, and will request a contact e-mail address and phone number for each person who needs a background investigation. Contract employees will receive further instructions by e-mail from the NIH Division of Personnel Security and Access Control (DPSAC). Contract employees must use the web application e-QIP to complete the forms, with the exception of the Fingerprint Card.

Personnel Security Investigation Forms

Non-Sensitive Positions (Level 1) make up the majority of HHS positions because of the nature of the Department's primary responsibilities. The following forms are required for each contract employee assigned to a Level 1 position *:

FIPS 199 Assessment

The FIPS 199 Assessment applies Federal Information Processing Standard (FIPS) 199, the Federal Government's standard for categorizing information and information systems, in order to protect both the Government and contractors from the risks associated with a compromise of the confidentiality, integrity, or availability of information. Each of these three security objectives is assigned a potential impact level (low, moderate, or high) based on the harm to the organization should an event jeopardize the information and information systems it needs to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals.

System IT Security Plan (IT-SP)

A System IT Security Plan (IT-SP) is required when the overall sensitivity and criticality level of the system, as categorized in the FIPS 199 Assessment, is moderate or greater; however, there may be instances in which an IT-SP is required even when the sensitivity and criticality levels are low.

IT Security Risk Assessment (IT-RA)

The purpose of an information technology risk assessment (IT-RA) is to provide the Federal Government, as well as senior leaders/executives and principal investigators, with the information needed to determine appropriate courses of action in response to identified risks. Risk assessments also help organizations monitor operations on an ongoing basis to determine whether risks have increased to unacceptable levels and exceeded the organization's risk tolerance.

IT System Certification and Accreditation (IT-SC&A)

The information technology certification and accreditation (IT-SC&A) is used by the Designated Approving Authority (DAA) on the contract to acknowledge compliance with the documented security controls associated with the contract system(s) or application(s) under their control. The documented security controls and impact analysis are located in the respective IT Security Plan (IT-SP), FIPS 199 Assessment, and IT Risk Assessment (IT-RA). The IT-SC&A must be signed by the DAA on the contract. The DAA is the individual who formally assumes responsibility for operating the information technology systems under the contract's purview at an acceptable level of risk. The DAA is often the contractor's Director of Information Technology, Chief Information Officer, or similar role.

The Federal Government has established a policy for the protection of federal information in cloud services under the Federal Risk and Authorization Management Program (FedRAMP). Under the FedRAMP policy, agencies that leverage existing cloud-based services or plan to acquire cloud-based services (other than private cloud-based services) must initiate an authorization and use the FedRAMP information security and privacy requirements (including security and privacy controls, and the controls selected for continuous monitoring) for cloud services to support authorization decisions. Contracts that will use cloud-based systems must use the FedRAMP templates rather than the NHLBI IT Security deliverable templates provided here. Additional information regarding FedRAMP can be found at http://www.fedramp.gov/.